INFO 4424 Health Care Supply Chain and Software Acquisition 3 credits

This course focuses on giving students a broad-based understanding of the US health care supply chain and how IT systems can be used to reduce the inefficiencies in the system. This will include exposure to technologies such as RFID that are being employed to bring deep-level visibility into the movement of medical supplies and devices in the supply chain. In particular, the course will develop an appreciation for the various associated issues (in particular, regulatory and behavioral) that the use of IT systems in health environments can pose, and how IT managers must factor in these issues when deciding on software acquisition strategies. PREREQ: INFO 4411. D

This section provides a holistic outline of the knowledge and tasks required to manage risk for the outsourced development, acquisition, and procurement of software and related services (e.g., Cloud Computing, Mobile Application development). This domain defines what the expectations of an organization should be when acquiring software to assure third-party products will not act maliciously, whether intended or not, nor disrupt the organization's business and result in negative financial impact.
The learner applies their accumulated knowledge of the Secure Software Development Life Cycle (SDLC) to evaluate suppliers and communicate with them on security issues, including vulnerability management, service level agreement monitoring, and chain of custody throughout the source code development and maintenance life cycle. The successful learner will understand the legalities surrounding the use and reuse of open source libraries and the security vulnerabilities that may or may not exist in the code.
A. Supplier Risk Assessment (e.g., managing the enterprise risk of outsourcing)
 • Risk Assessment for Code Reuse
 • Intellectual Property (e.g., Open Source License, Closed Source License, Third Party Proprietary)
 • Legal Compliance
 • Supplier Pre-Qualification (e.g., assessment of software engineering/SDLC approaches, information systems security policy compliance)
B. Supplier Sourcing
 • Contractual integrity controls (e.g., audit of security policy compliance, vulnerability/incident response)
 • Vendor technical integrity controls for third-party suppliers (e.g., secure transfer, system sharing/interconnections, secure storage, code exchange)
 • Managed Services (e.g., cloud, outsourcing)
 • Service-Level Agreements (SLAs) (e.g., monitoring plans, KPIs, performance metrics, targets)
C. Software Development and Test
 • Technical Controls (e.g., code repository security, build environment security)
 • Code Testing and Verification (e.g., backdoor detection, embedded malware detection)
 • Security Testing Controls (e.g., peer review, secure code review)
 • Software Requirements Verification and Validation
D. Software Delivery, Operations and Maintenance
 • Chain of Custody (e.g., each change and transfer made during the source code's lifetime is authorized, transparent and verifiable)
 • Publishing and dissemination controls (e.g., code signing, delivery, transfer, tamper resistance)
 • Systems-of-Systems integration (e.g., security testing and analysis)
 • Software Authenticity and Integrity (e.g., cryptographically hashed, digitally signed components, software integrity is verified at run-time)
 • Product deployment and sustainment controls (e.g., upgrades, secure configuration, custom code extension, operational readiness)
 • Monitoring and Incident Management (e.g., supplier, components, SLAs, IDS/IPS)
 • Vulnerability Management, Tracking and Resolution (e.g., patching)
E. Supplier Transitioning (e.g., code escrow, data exports, contracts, disclosure)

NIATEC National Science Foundation Information Assurance Directorate Department of Homeland Security CISSE Scholarship For Service